External RADIUS
The Setting External RADIUS Screen displays information about all configured UPAM External RADIUS Servers and is used to create, edit, and delete a server.
Creating an External RADIUS Server
Click on the Add icon, complete the fields as described below and click on the Create button. You can create up to eight (8) external RADIUS Servers.
- Server Name - Pre-filled with “Default Server” (cannot be modified).
- Host Name/IP Address - External RADIUS Server host name/IP address. (4 - 64 characters)
- Back Host Name/IP Address - Backup external RADIUS Server host name/IP address, if applicable. (4 - 64 characters)
- Retries - Number of times UPAM retries the connection to the External RADIUS Server after a connection timeout before concluding that the server is unreachable. (Range = 1 – 3, Default = 3)
- Timeout - The amount of time, in seconds, that UPAM will attempt a connection to the External RADIUS Server before timing out. (Range = 1 – 30, Default = 5)
- Shared Secret - Shared key that UPAM uses to communicate with the External RADIUS Server. (4 - 64 characters)
- Confirm Secret - Re-enter to confirm the shared secret key. (4 - 64 characters)
- Authentication Port - TCP/UDP port used to perform authentication. (Range = 1 – 65535, Default = 1812)
- Accounting Port - TCP/UDP port used to perform accounting. (Range = 1 – 65535, Default = 1813)
- Require Message Authenticator - Enables/Disables UPAM checking for the Message-Authenticator attribute in RADIUS response packets coming from the external RADIUS Server. Enabling the Require Message Authenticator check is the recommended setting to prevent attempts to forge authentication responses by spoofing UDP-based RADIUS response packets. Checking for this attribute is also configurable when defining a RADIUS Authentication server. Refer to Message-Authenticator Check Use Cases for more information.
  - Enabled - Checks for the Message-Authenticator attribute and drops any response packets that do not contain this attribute.
  - Disabled - Does not check for the Message-Authenticator attribute in RADIUS response packets.
- UPAM-IP as Proxy for NAS-IP - Enables/Disables UPAM to act as the NAS-IP proxy to an external RADIUS Server. When enabled, the specified UPAM IP address is used as the NAS-IP before RADIUS Packets are forwarded to an external RADIUS Server. The following fields are displayed for configuration when this function is enabled:
  - UPAM-IP Type - Select Private IP Address or Public IP Address to use for the NAS-IP proxy.
    - Private IP Address - The UPAM IP address is used as the proxy address.
    - Public IP Address - Enter the IP address to use as the proxy in the UPAM-IP Address field.
  - UPAM-IP Address - The Private or Public IP address to use as the NAS-IP proxy. If Private IP address is used, this field defaults to the UPAM IP address and cannot be edited.
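
The Require Message Authenticator check described above can be sketched as follows. This is an added example, not UPAM's own code: `check_response` and `build_response` are hypothetical names, the packet is a constructed sample, and verifying the attribute's HMAC-MD5 value as RFC 3579 defines it (in addition to requiring its presence) is an assumption about what a client does with the attribute.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869 / RFC 3579

def check_response(packet, request_auth, secret, require_ma=True):
    """Return 'accept' or a 'drop: ...' reason for one RADIUS response."""
    if len(packet) < 20:
        return "drop: short packet"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "drop: bad length"
    packet = packet[:length]
    ma_at, pos = None, 20
    while pos < length:  # walk the type/length/value attributes
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return "drop: malformed attribute"
        if packet[pos] == MESSAGE_AUTHENTICATOR:
            if packet[pos + 1] != 18:
                return "drop: malformed attribute"
            ma_at = pos + 2
        pos += packet[pos + 1]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        return "drop: bad Response Authenticator"
    if not require_ma:
        return "accept"  # "Disabled": attribute is not checked
    if ma_at is None:
        return "drop: Message-Authenticator missing"  # "Enabled" behaviour
    # Assumption: the value is also verified as RFC 3579 defines it, HMAC-MD5
    # over the packet with the Request Authenticator in place and value zeroed.
    zeroed = (packet[:4] + request_auth + packet[20:ma_at]
              + bytes(16) + packet[ma_at + 16:])
    want = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(want, packet[ma_at:ma_at + 16]):
        return "drop: bad Message-Authenticator"
    return "accept"

def build_response(code, ident, request_auth, secret, with_ma=True):
    """Constructed sample packet, built the way a RADIUS server would."""
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if with_ma else b""
    attrs += bytes([18, 4]) + b"ok"  # Reply-Message (type 18), sample value
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs
```

A response that carries a valid Response Authenticator but no Message-Authenticator is accepted with `require_ma=False` and dropped with `require_ma=True`, which is the difference between the Disabled and Enabled settings.
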
Editing an External RADIUS Server
Select a server in the External RADIUS List and click on the Edit icon. Edit the fields as described above, then click on the Apply button.
Deleting an External RADIUS Server
Select one or more servers in the External RADIUS List and click on the Delete icon. Click on OK at the Confirmation Prompt.
External RADIUS List
The External RADIUS Server List displays information about all configured UPAM External RADIUS Servers.
- Server Name - Pre-filled with “Default Server” (cannot be modified).
- Host Name/IP Address - External RADIUS Server host name/IP address. (4 - 64 characters)
- Back Host Name/IP Address - Backup external RADIUS Server host name/IP address, if applicable. (4 - 64 characters)
- Retries - Number of times UPAM retries the connection to the External RADIUS Server after a connection timeout before concluding that the server is unreachable. (Range = 1 – 3, Default = 3)
- Timeout - The amount of time, in seconds, that UPAM will attempt a connection to the External RADIUS Server before timing out. (Range = 1 – 30, Default = 5)
- Authentication Port - TCP/UDP port used to perform authentication. (Range = 1 – 65535, Default = 1812)
- Accounting Port - TCP/UDP port used to perform accounting. (Range = 1 – 65535, Default = 1813)
- UPAM-IP as Proxy for NAS-IP - Whether UPAM acting as the NAS-IP proxy to an external RADIUS Server is enabled or disabled.
- Require Message Authenticator - Whether UPAM checking for the Message-Authenticator attribute in RADIUS response packets coming from the external RADIUS server is enabled or disabled.